
Enabling TLS for Cloudera Manager admin console


Hi All,

I'm trying to enable TLS for the Cloudera Manager admin console; below are the commands I followed.

1. Received signed host certificate from IT team (<hostname>.pem), also rootca (root.pem)

2. Copy the JDK cacerts file to jssecacerts as follows:

sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

3. Import rootca cert into JKS store

sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/root.pem

4. Created JKS and imported host certificate in keystore.

$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Singapore,ST=Singapore,C=Singapore" -ext san=dns:$(hostname -f)
sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks

5. Creating symlinks

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem
sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks

6. Enabled TLS from the Cloudera Manager admin console

Property: Cloudera Manager TLS/SSL Server JKS Keystore File Location
Description: The complete path to the keystore file. For example: /opt/cloudera/security/pki/server.jks

Property: Cloudera Manager TLS/SSL Server JKS Keystore File Password
Description: The password for the /opt/cloudera/security/jks/server.jks keystore.

Property: Use TLS Encryption for Admin Console
Description: Check this box to enable TLS encryption for Cloudera Manager.

7. Restart Cloudera Manager server

Cloudera Manager starts successfully; however, I'm not able to open the admin console from the browser.

sudo netstat -tulpn | grep 7183
tcp        0      0 0.0.0.0:7183            0.0.0.0:*               LISTEN      4664/java

I'm getting the error below on the browser page:

This site can’t provide a secure connection 1.1.1.1 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Can someone please suggest what I am missing here?

1 ACCEPTED SOLUTION

Master Collaborator

@chhaya_vishwaka 


The "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error can happen if a JKS contains multiple certs with similar names.
Run the command below for the keystore:
# keytool -list -keystore server.jks
The correct cert will be the one with "Entry type: PrivateKeyEntry".
If you find a certificate with "Entry type: trustedCertEntry" and a similar alias name, then that is the problem cert.

Remove this certificate from the keystore using the steps below:

i) Make a backup of the existing JKS.
ii) Stop CM.
iii) Remove the cert identified above:
keytool -delete -alias <cert_alias> -keystore server.jks
iv) Start CM and test again.

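The check described in the accepted solution, and the browser symptom in the question, as an added example that is not code from the thread or from Cloudera. It parses verbose keytool output (the "Alias name:" / "Entry type:" format, which is what `keytool -list -v` prints) and flags a trustedCertEntry whose alias or subject shadows the single PrivateKeyEntry the CM server needs; `list_keystore` shells out to the real keytool for a live keystore, and `probe_tls` performs the handshake a browser would against port 7183 so the failure can be reproduced without a browser. The hostnames, aliases, DNs and the sample listing are constructed for illustration.

```python
"""Triage a Cloudera Manager server keystore for shadowing certificate entries.

Added example; not the thread's or Cloudera's own code. All sample data is constructed.
"""
import shutil
import socket
import ssl
import subprocess
from dataclasses import dataclass


@dataclass
class Entry:
    alias: str
    entry_type: str        # PrivateKeyEntry | trustedCertEntry | SecretKeyEntry
    owner: str = ""        # subject DN of the first certificate in the entry


# Constructed sample of `keytool -list -v` output, trimmed to the lines that matter.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: cm01.example.internal
Creation date: Jan 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cm01.example.internal, OU=Engineering, O=Example, L=Singapore, ST=Singapore, C=SG
Issuer: CN=Example Issuing CA, O=Example, C=SG

Alias name: cm01.example.internal.pem
Creation date: Jan 10, 2020
Entry type: trustedCertEntry

Owner: CN=cm01.example.internal, OU=Engineering, O=Example, L=Singapore, ST=Singapore, C=SG
Issuer: CN=Example Issuing CA, O=Example, C=SG

Alias name: rootca
Creation date: Jan 10, 2020
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=SG
Issuer: CN=Example Root CA, O=Example, C=SG
"""


def parse_keytool_list(text: str) -> list[Entry]:
    """Turn verbose keytool output into Entry records (first Owner line per entry)."""
    entries: list[Entry] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = Entry(alias=line.split(":", 1)[1].strip(), entry_type="")
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and not current.owner:
            current.owner = line.split(":", 1)[1].strip()
    return entries


def _similar(a: str, b: str) -> bool:
    # JKS aliases are case-insensitive; "similar" here means one alias is a prefix of the other.
    a, b = a.lower(), b.lower()
    return a == b or a.startswith(b) or b.startswith(a)


def find_problems(entries: list[Entry]) -> list[str]:
    """Return findings; an empty list means the keystore has one key entry and no shadowing certs."""
    problems = []
    private = [e for e in entries if e.entry_type == "PrivateKeyEntry"]
    if len(private) != 1:
        problems.append(f"expected exactly one PrivateKeyEntry, found {len(private)}")
    for trusted in (e for e in entries if e.entry_type == "trustedCertEntry"):
        for key in private:
            if _similar(trusted.alias, key.alias) or (trusted.owner and trusted.owner == key.owner):
                problems.append(
                    f"trustedCertEntry '{trusted.alias}' shadows PrivateKeyEntry '{key.alias}'; "
                    f"back up the JKS, then: keytool -delete -alias '{trusted.alias}' -keystore server.jks"
                )
    return problems


def list_keystore(keystore: str, password_env: str = "KEYSTORE_PASS") -> list[Entry]:
    """Run the real keytool; the store password is read from an environment variable, not argv."""
    keytool = shutil.which("keytool")
    if keytool is None:
        raise RuntimeError("keytool not on PATH; add $JAVA_HOME/bin to PATH")
    cmd = [keytool, "-list", "-v", "-keystore", keystore, "-storepass:env", password_env]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


def probe_tls(host: str, port: int = 7183, timeout: float = 5.0) -> dict:
    """Handshake like a browser would; ssl.SSLError here matches ERR_SSL_VERSION_OR_CIPHER_MISMATCH."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we want the negotiation result, not trust validation
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    for finding in find_problems(parse_keytool_list(SAMPLE_LISTING)) or ["keystore looks sane"]:
        print(finding)
```

Run it as-is to see the constructed keystore flagged; against a real server run `KEYSTORE_PASS=... python3 triage.py` after swapping `SAMPLE_LISTING` for `list_keystore("/opt/cloudera/security/pki/server.jks")`, and call `probe_tls("cm-host")` to confirm the handshake succeeds once the stray entry is gone.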

2 REPLIES



thanks @paras